Results 1 to 3 of 3

Thread: proftpd chroot option

  1. April 29th, 2003, 02:16 AM #1
    yanksfan
    yanksfan is offline
    Senior Member
    Join Date
    Apr 2002
    Posts
    214

    proftpd chroot option

    Hello everyone,
    While reading proftpd's documentation, I came across something regarding their DefaultRoot option, which makes a chroot call to put them in a chroot jail at login:

    When the specified chroot directory is a symlink this will be resolved to it's parent first before setting up the chroot. This can have unwanted side effects. For example if a chroot is to be configured within space to which a user as shell access, the chroot directory could be converted to a symlink pointing at '/'. Thus the chroot would be to the root directory of the server.
    (Originally from http://proftpd.linux.co.uk/docs/dire...faultRoot.html)
    I'm still in the process of setting up webhosting. This says if they have shell access, they're able to make a symlink, and possibly exploit the issue. I wasn't planning on giving them shell access at all, but possibly restricted CGI access (via sbox, a cgi wrapper, which also chroots the script to their home directory, and I might add that I set that up successfully )

    So, would that security hole be an issue even if I only give them a 'jailed' home directory and 'jailed' cgi script access?

    Thanks
    -Mike
    Either get busy living or get busy dying.

    -The Sawshank Redemption
    Reply With Quote Reply With Quote
  2. April 29th, 2003, 11:02 AM #2
    slarty
    slarty is offline
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    If you make the chroot a directory in a directory they don't have write access to, it's not a problem.

    Then it still wouldn't be a problem unless they can make a CGI script that modifies it, which it probably wouldn't be able to right, because the CGI runs as a different user?

    Typically, chrooting them to their home directory is very safe.

    Oh yes, and this thread probably should have been in "*nix security" instead of chit-chat. It also gets on the front page so you will get a much better response.
    Reply With Quote Reply With Quote
  3. April 30th, 2003, 01:04 AM #3
    yanksfan
    yanksfan is offline
    Senior Member
    Join Date
    Apr 2002
    Posts
    214
    Thanks for your reply, slarty.

    Is there anything else I should know before starting a webhosting thing (like security settings I should change, things I should be aware of, etc)?

    I might also enable SSI (IncludesNOEXEC) and limited .htaccess abilities for the users. Would that be a problem at all?

    Also, to the admins/moderator, if you could please move this thread to the *nix security discussion forum. Sorry about the mishap.

    Thanks
    Either get busy living or get busy dying.

    -The Sawshank Redemption
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules